Expand description
§windows-wfp — Windows Filtering Platform (WFP) Wrapper
Safe Rust wrapper around Windows Filtering Platform APIs.
This crate provides a high-level, memory-safe interface to the Windows Filtering Platform (WFP), the kernel-level firewall API in Windows. It handles all the complex FFI interactions, memory management, and path conversions required for WFP to work correctly.
§Features
- WFP Engine Management - RAII-based session lifecycle with automatic cleanup
- Provider & Sublayer - Registration of custom firewall provider with high priority
- Filter Creation - Builder-pattern filter rules with automatic DOS-to-NT path conversion
- Event Subscription - Real-time monitoring of network events (learning mode)
- Memory Safety - All Windows handles managed with RAII, minimal unsafe code
§Quick Start
use windows_wfp::{WfpEngine, FilterBuilder, FilterRule, Direction, Action, FilterWeight, initialize_wfp};
// Open WFP engine (requires Administrator)
let engine = WfpEngine::new()?;
// Register provider and sublayer
initialize_wfp(&engine)?;
// Block an application
let rule = FilterRule::new("Block curl", Direction::Outbound, Action::Block)
.with_weight(FilterWeight::UserBlock)
.with_app_path(r"C:\Windows\System32\curl.exe");
let filter_id = FilterBuilder::add_filter(&engine, &rule)?;
// curl.exe is now blocked at kernel level!
// Clean up
FilterBuilder::delete_filter(&engine, filter_id)?;§Path Conversion
CRITICAL: WFP operates at the Windows kernel level and requires NT kernel paths. This crate automatically converts DOS paths to NT kernel format:
- DOS path:
C:\Windows\System32\curl.exe(what you provide) - NT kernel path:
\device\harddiskvolume4\windows\system32\curl.exe(what WFP needs)
Without this conversion, filters would be added successfully but would never match
any traffic. This crate handles the conversion automatically using FwpmGetAppIdFromFileName0.
§Event Monitoring
Subscribe to network events for learning mode:
use windows_wfp::{WfpEngine, WfpEventSubscription};
let engine = WfpEngine::new()?;
let subscription = WfpEventSubscription::new(&engine)?;
loop {
match subscription.try_recv() {
Ok(event) => {
println!("Event: {:?}", event.event_type);
println!("App: {:?}", event.app_path);
}
Err(std::sync::mpsc::TryRecvError::Empty) => {
std::thread::sleep(std::time::Duration::from_millis(100));
}
Err(_) => break,
}
}Re-exports§
pub use condition::IpAddrMask;pub use condition::Protocol;pub use engine::WfpEngine;pub use errors::WfpError;pub use errors::WfpResult;pub use events::NetworkEvent;pub use events::NetworkEventType;pub use events::WfpEventSubscription;pub use filter::Action;pub use filter::Direction;pub use filter::FilterRule;pub use filter_builder::FilterBuilder;pub use filter_enum::FilterAction;pub use filter_enum::FilterEnumerator;pub use filter_enum::FilterInfo;pub use layer::FilterWeight;pub use provider::initialize_wfp;pub use provider::WfpProvider;pub use provider::WfpSublayer;pub use transaction::WfpTransaction;pub use constants::*;
Modules§
- condition
- WFP filter condition types
- constants
- WFP GUID constants
- engine
- WFP Engine wrapper with RAII handle management
- errors
- WFP error types
- events
- WFP Network Event Subscription (Learning Mode)
- filter
- WFP filter rule definition
- filter_
builder - WFP Filter translation from FilterRule
- filter_
enum - WFP Filter Enumeration
- layer
- WFP layer selection and filter weight constants
- provider
- WFP Provider and Sublayer management
- transaction
- WFP Transaction wrapper with RAII rollback